Friday, July 24, 2009

Isn't it nice to have friends who send you postcards? The UAB Spam Data Mine is especially fortunate in that way. Beginning the evening of July 22nd we began to receive Postcards from thousands of our friends, that we didn't even know we had!

Each of these websites offers you the opportunity to download your postcard:

The "postcard" link actually downloads a program which infects your computer with "Zeus Bot" software, which allows the criminal to steal all of your passwords for your bank, email, FTP sites, social networking sites, etc.

Even if you are "smart" and don't download and run the "postcard.exe" program, the cyber criminal has placed other traps on his website. In this case, there is a hidden "iframe" on the page, which causes your computer to open a "hidden window" and run whatever commands are located on the website:

evgard.ru/img/in.php
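As an added example (not code from the original post), here is a standard-library Python scanner that pulls every iframe out of a saved HTML page and reports the ones that are both invisible and loaded from a host other than the page's own, which is the trap described above. The page markup, host names and size threshold are constructed for the demonstration.

```python
"""Flag hidden iframes that pull content from another host.

Added example, not the original post's code. The markup, host names and
the 1x1-pixel threshold here are constructed for the demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag and attribute names
            self.iframes.append({name: (value or "") for name, value in attrs})


def _looks_hidden(attrs):
    """True when the frame is styled invisible or sized at most 1x1 pixel."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style or "hidden" in attrs:
        return True
    for dim in ("width", "height"):
        candidates = [attrs[dim]] if dim in attrs else []
        match = re.search(dim + r":(\d+)", style)
        if match:
            candidates.append(match.group(1))
        for value in candidates:
            digits = re.match(r"\s*(\d+)", value)
            if digits and int(digits.group(1)) <= 1:
                return True
    return False


def find_hidden_offsite_iframes(html, page_host):
    """Return src values of hidden iframes whose host differs from page_host."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        src = attrs.get("src", "").strip()
        if not src:
            continue
        # bare "host/path" sources get a scheme so urlparse can find the host
        host = urlparse(src if "://" in src else "http://" + src).hostname or ""
        if host and host != page_host.lower() and _looks_hidden(attrs):
            hits.append(src)
    return hits


# constructed page modelled on the "postcard" lure described above
SAMPLE_PAGE = """<html><body>
<h1>You have received a postcard!</h1>
<a href="postcard.exe">Download your postcard</a>
<iframe src="http://dropper.example/img/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="/counter.php" width="0" height="0"></iframe>
<iframe src="http://video.example/embed" width="480" height="360"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src in find_hidden_offsite_iframes(SAMPLE_PAGE, "postcard-lure.example"):
        print("hidden off-site iframe:", src)
```

The same-host frame (`/counter.php`) is hidden but not reported, since the point is content pulled in from a third party; widen the rule if local hidden frames matter in your environment.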

These websites are part of a group of "fast flux hosted" domains, which the anti-phishing community has been calling "Avalanche" because of their similarity to the old Rock Phish criminal campaign. "Fast Flux" domains actually resolve to the IP addresses of innocent victim computers that have a "web proxy" secretly running on them. Our cybercrime researchers at UAB have identified more than 3,700 computers that have served as the "web proxy" for these campaigns so far, including several hundred computers in the United States. Each of those proxies looks up the real criminal website and forwards the content back to its visitors, so that the victim never actually touches the criminal's true computer, only the web proxy of another victim.
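The fast-flux behaviour described above leaves a signature in DNS: the same name keeps resolving to different addresses on unrelated networks, with short TTLs. This added example (not the original post's code) scores repeated lookups with that heuristic; the lookups use constructed RFC 5737 documentation addresses and the thresholds are assumptions, not figures from the post.

```python
"""Heuristic fast-flux detector over repeated DNS lookups.

Added example, not the original post's code. The lookups below are
constructed (RFC 5737 documentation addresses) and the thresholds in
is_fast_flux are assumptions, not figures from the post.
"""
import ipaddress
from collections import defaultdict

# constructed lookups: (domain, resolved IPv4 address, TTL in seconds)
LOOKUPS = [
    ("postcard-lure.example", "203.0.113.10", 300),
    ("postcard-lure.example", "198.51.100.77", 300),
    ("postcard-lure.example", "192.0.2.33", 180),
    ("postcard-lure.example", "203.0.113.200", 300),
    ("postcard-lure.example", "198.51.100.9", 120),
    ("postcard-lure.example", "192.0.2.150", 300),
    ("ordinary-site.example", "203.0.113.5", 86400),
    ("ordinary-site.example", "203.0.113.5", 86400),
    ("ordinary-site.example", "203.0.113.6", 86400),
]


def summarize_lookups(lookups):
    """Per domain: distinct addresses, distinct /16 networks and lowest TTL."""
    summary = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None})
    for domain, ip, ttl in lookups:
        rec = summary[domain]
        rec["ips"].add(ip)
        # a /16 is a rough stand-in for "a different network"; a real
        # tracker would map each address to its ASN instead
        rec["nets"].add(str(ipaddress.ip_network(ip + "/16", strict=False)))
        rec["min_ttl"] = ttl if rec["min_ttl"] is None else min(rec["min_ttl"], ttl)
    return summary


def is_fast_flux(rec, min_ips=5, min_nets=3, max_ttl=300):
    """Assumed rule: many addresses, spread across networks, with short TTLs."""
    return (len(rec["ips"]) >= min_ips
            and len(rec["nets"]) >= min_nets
            and rec["min_ttl"] is not None
            and rec["min_ttl"] <= max_ttl)


def classify(lookups):
    """Map each domain to True (looks fluxed) or False."""
    return {d: is_fast_flux(rec) for d, rec in summarize_lookups(lookups).items()}


if __name__ == "__main__":
    for domain, fluxed in classify(LOOKUPS).items():
        print(f"{domain}: {'FAST FLUX' if fluxed else 'ordinary'}")
```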

Most recently this group has been used for a few different campaigns including:

They are able to sustain such a high throughput of phishing - those counterfeit bank websites which trick you into giving up your password - because they have an elaborate back end for laundering their money. An army of Americans has chosen to sign up with them to work as "money mules". Rather than taking the risk of performing the financial transactions themselves, the criminals have recruited people through a different spam campaign, one advertising "work at home" jobs, to do the deed for them.

Here's an advertisement being offered currently by these same criminals:

In this case, they promise that you can be a "work at home" Customer Service Specialist, earning $27 per hour "+ a bonus per processed transaction".

Those "processed transactions" work like this.

1) They send someone a spam message with a link to a fake bank website

2) The victim gives up their userid and password on the fake website

3) The criminal logs in to the real bank's website using that information, and transfers money to the "Customer Service Specialist" AKA Money Mule.

4) The Mule then receives instructions on how to wire the money internationally, keeping a generous commission (money stolen from someone else's bank account!) for themselves.

In the new "ZBot" version of this scam, only step 1 changes. You no longer have to visit a fake bank website. Once you have the ZBot malware installed on your computer, the criminal gets your password when you visit your bank's real website. If you have multiple banks and multiple credit cards, the criminal will eventually have passwords to them all as you log in to multiple accounts. This is also true for business accounts. Brian Krebs recently reported how Bullitt County Kentucky lost $415,000 by having it transferred out of their own bank accounts and sent to dozens of Money Mules. The mules each received between $7,000 and $9,900 per transaction, and then wired most of that money overseas.

How prevalent is ZBot? IDG's Ellen Messmer reported this week in her article America's Ten Most Wanted Botnets that Zeus Bot now has 3.6 Million infected victims in the United States, slightly ahead of the 2.9 Million infected with Koobface.

That's 3.6 Million Americans whose computers and financial transactions are being spied upon by Russian criminals.

Do we know it's Russian? ZeusBot is actually a system for stealing website data from victims. It comes complete with a nice Graphical User Interface for keeping track of your infected machines, and tools to allow you to prioritize certain banks that are of highest interest to you. At any given moment there are more than 400 distinct command & control sites active for Zeus, so it's possible there are many criminals involved. However, the ZeusBot system is written in Russian, as are the user manuals. Some of those controllers are in the United States, and we encourage US Law Enforcement to do everything they can to get to the bottom of this situation.

Your friends in Computer Forensics Research and the security industry can help. Just ask.

SAFETY UPDATE

ATTENTION NETWORK ADMINISTRATORS!!! If you are observing traffic to the following netblock please contact me at gar@cis.uab.edu. Thank you!

91.213.72.0/24

This netblock is where the Zeus controller for the postcards malware is sitting. It's already shifted several times this week, but included:
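For administrators answering the request above, here is an added example (not the original post's code) that scans firewall log lines for destinations inside the netblock named in the post and tallies which internal hosts were talking to it. The iptables-style log lines are constructed for the demonstration.

```python
"""Find log lines whose destination falls inside a watched netblock.

Added example, not the original post's code. The log lines below are
constructed in an iptables-style "SRC=... DST=..." format; the netblock
is the one named in the post.
"""
import ipaddress
import re

WATCHED = [ipaddress.ip_network("91.213.72.0/24")]  # netblock from the post

# constructed firewall log lines (one is deliberately unparseable)
SAMPLE_LOG = """\
Jul 24 09:12:01 gw kernel: IN=eth1 OUT=eth0 SRC=10.1.4.22 DST=91.213.72.15 PROTO=TCP DPT=80
Jul 24 09:12:05 gw kernel: IN=eth1 OUT=eth0 SRC=10.1.4.22 DST=198.51.100.3 PROTO=TCP DPT=443
Jul 24 09:12:09 gw kernel: IN=eth1 OUT=eth0 SRC=10.1.7.9 DST=91.213.72.201 PROTO=TCP DPT=8080
Jul 24 09:12:11 gw kernel: IN=eth1 OUT=eth0 SRC=10.1.7.9 DST=91.213.73.4 PROTO=TCP DPT=80
this line has no addresses in it
"""

_ADDR = re.compile(r"\bSRC=(\S+)\s+DST=(\S+)")


def in_watched(ip_text, watched=WATCHED):
    """True when ip_text parses as an address inside any watched network."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:  # garbage or a hostname, not an address
        return False
    return any(addr in net for net in watched)


def scan_log(text, watched=WATCHED):
    """Return (source, destination) pairs for lines whose DST is watched."""
    hits = []
    for line in text.splitlines():
        m = _ADDR.search(line)
        if m and in_watched(m.group(2), watched):
            hits.append((m.group(1), m.group(2)))
    return hits


def sources_by_count(hits):
    """Count hits per internal source host: these are the machines to examine."""
    counts = {}
    for src, _dst in hits:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for src, dst in found:
        print(f"{src} -> {dst}")
    print("hosts to examine:", sources_by_count(found))
```

The 91.213.73.4 line is correctly left out: it is adjacent to the watched /24 but outside it, which is why membership is tested with `ipaddress` rather than a string prefix.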

Wednesday, July 22, 2009

One hour ago at the National Press Club, the Partnership for Public Service presented its report "Cyber IN-Security: Strengthening the Federal Cybersecurity Workforce". Participating in the presentation were:

A copy of the 36 page report, co-authored with Booz Allen Hamilton, is available from OurPublicService.org.

The first, and most important, of the four challenges described in the report is ...

1) The pipeline of potential new talent is inadequate.

The report says that only 40% of various hiring decision makers in federal agencies are "satisfied or very satisfied" with the quality of applicants applying for federal cybersecurity jobs and only 30 percent are satisfied or very satisfied with the number of qualified candidates who are applying. The need is for "closer to 1,000 graduates a year" to fill these jobs, as opposed to the current 120 graduates provided through the Scholarships for Service program.

A couple quotes from the report:

Defense Secretary Robert Gates has stated that the Pentagon is "desperately short of people who have capabilities (defensive and offensive cybersecurity war skills) in all the services and we have to address it." ... Three-fourths of CIOs, CISOs, IT hiring managers, and HR professionals surveyed for this report said attracting skilled cybersecurity talent would be a "high" or "top" priority for the next two fiscal years.

Much like our government did during the space race, the White House should lead a nationwide effort to encourage more Americans to develop technology, math and science skills. In conjunction with this effort, Congress should fund expansion of the successful programs that provide graduate and undergraduate scholarships in computer science and cybersecurity fields, such as the Scholarship for Service program, in return for a commitment to government service.

Victor Piotrowski, who heads the Scholarship for Service program, says there are currently 870 students who have graduated from the program over its lifetime, and that there are 225 students currently enrolled in the program nationally. The pipeline currently produces 120 students per year, but Victor says the need is for "between 500 and 1,000 such graduates" every year. His program is currently funded at $12 Million per year, although the Cyber Security Act of 2009, proposed by Senator Jay Rockefeller from West Virginia, would raise that to $300 million over five years.

The report also quotes Alan Paller from SANS Institute, who says "There is a radical shortage of people who can fight in cyber space -- penetration testers, aggressors, and vulnerability analysts. My sense is it is an order of magnitude short, a factor of 10 short."

Other agencies quoted in the report describe that they are being "outbid by other agencies", and that the existing pool gets snapped up by the "FBI, NSA, and DHS", leaving other federal agencies without the talent they need.

The Pentagon has estimated that their military, civilian, and contractor workforce dedicated to cybersecurity positions is 90,000 personnel, while the non-DOD cybersecurity workforce is estimated at between 35,000 and 45,000. The Intelligence community, which as we have seen takes "the majority" of new hires, has a classified number of workers in this space as well.

Other critical concerns raised by the report are that . . .

- The Hiring Process is Broken
- Government Lacks Clear Definitions for Cybersecurity Jobs
- No Career Path for Cybersecurity Workers
- Pay Limitations Make It Harder for Government to Compete for Top Talent

From my position as the Director of Research in Computer Forensics at the University of Alabama at Birmingham I'm focusing on trying to do our part to help. Students who come through our program will have a solid foundation in the basics of information assurance that are taught in the core of our program, such as Internetworking, Computer Security, Network Security, etc., but we then specialize in addressing the needs of future cybercrime investigators.

In "Law, Evidence and Procedure", students get a broad look at our Justice system and how cases move through it.

In "Introduction to Computer Forensics" we then explain how a computer security "incident" fits into that framework and how the rules they heard about in LEP apply to the specifics of cybercrime cases and cases involving digital evidence.

In "Cybercrime & Forensics" students explore the side of Computer Forensics which we call "Media Forensics", learning about how files are stored on disks, and getting practical experience using the same tools they will encounter in the field, duplicating hard drives to create a forensic working copy, understanding the structure of FAT and NTFS file systems, learning to recover deleted files, crack passwords, decrypt files, and thoroughly document a piece of digital media using tools such as EnCase.

In "Investigating Online Crime" students explore the other side of Computer Forensics which we call "Network Forensics", meaning how the various computers involved in a case interact with one another. From a legal process perspective, this course introduces the students to various tools to retrieve data from providers, including subpoenas, search warrants, etc, as well as what burden of proof is required for each, and for the indictment. Guest speakers include both local and federal law enforcement, and both local and federal prosecutors who share details of actual cases with the students, stressing WHY certain information was required to move their case forward, and any legal or technical barriers that had to be overcome. Students create original applications for analysing cybercrime and digital evidence, and work with Analyst tools, including I2 Analysts Notebook and Maltego to prepare mock presentations for investigators, prosecutors, judges, and juries to document a wide variety of cases.

Top students in our program are also invited to join our research team, where we have active projects working on real cases related to Spam, Phishing, Malware, and website attacks.

I'm excited to see the focus being brought on the great need for graduates who can take on these Cyber Security positions, and hope that many potential graduates will come join us at UAB to prepare themselves for those jobs. Our Certificate in Computer Forensics is available with the Masters or PhD in Computer & Information Science, or with the Masters in Criminal Justice.

Tuesday, July 21, 2009

Some folks saw this ABC News story yesterday, and sent me surprised questions that I hadn't blogged about it, so, here is the after-the-fact blog about a situation that is still continuing.


The story actually goes much bigger than that. Sure there are lots of people who have "erin andrews peephole photos" links on Twitter, and almost all of them are pointing to a virus, as we mentioned in the ABC News story.

As we've discussed several times in the past, this is another case of shortened URLs taking you to unknown pages, and Twitter training us all to blindly follow the link. Many of the links we've checked out go to the same place. So, for example:

Attempting to play the video there actually redirects you to a malware page where you will grab a link to the website lyy-exe.com and download a piece of malware called onlinemovies.40014.exe.

When we first scanned the malware yesterday morning, VirusTotal indicated that it was detected by four of 41 anti-virus products. By last night that was up to 10 of 41, and this morning when we rescanned (July 21st) the detection rate was XXXXXXXXXX

The rest of the story comes out as we look at the other posts made by some of the people who were posting links to the malware. We decided to grab a few that have posted in the past two hours, and see what else they were posting. Here's our sample group:

It looks like the malware may actually be creating its own Twitter accounts, as these accounts for the most part have no followers, and are following no one. They seem to be depending on the fact that people actually "search" twitter, and their results will be found among the other results. This really points out the fact that Twitter needs to do something more than just their current LIFO (Last In First Out) search. If you search for a term, and I am the last person to post something with that term, you will see MY post, even if nobody follows me at all, even if I am an account that was created thirty minutes ago. Wouldn't it make more sense to see what the people are saying who are at least being followed by SOMEONE?

estefanikime has 0 followers and follows no one. Her recent news stories point to the sites: legalmusic4all.com (an illegal music site hosted on NetDirekt in Germany) and fusionstories.com (an entertainment blog hosted on NetDirekt in Germany).

When ABC News called yesterday, I was on my way to teach a class for the University of Alabama at Birmingham (UAB)'s Computer Forensics program. The course is called "Investigating Online Crime", and is a mix of Computer & Information Science and Criminal Justice students who are interested in careers in cybercrime investigations. I had been looking for an example for them to work on digging into a case using a variety of online tools, and Maltego from Paterva. I did a quick change-out on the case we would look at, and asked them to follow their leads on this one instead. They certainly found some interesting things!

With ten minutes to go before class, I also asked one of my graduate students, Malware Analyst Brian Tanner, to run a quick dynamic analysis of the malware in the lab. He pulled out some IP addresses of interest for the malware and some of the students included those IP addresses and domain names in their Maltego charts as well. Here are some of the sites that the malware connects to immediately after launching:

After this basic setup, the malware infected box goes nuts doing advertisement clickfraud, jumping back and forth between a variety of search sites, and following the resulting links, such as "homesearchnova.com" and "top100search.com" and "www-news-today.com" and "ad.reduxmedia.com" and "ad.yieldmanager.com" and "abcsearch.com" and "lucky5forme.com"

In our particular case, we were for some reason doing a lot of "Bollywood" related traffic, doing searches such as "hindi film actor photo" and ending up following links to places like "bollywoodhungama.com"

Someone interested in Advertising Click-Fraud may want to dig into this particular malware much more deeply.

Some of the other interesting clusters the students found were based on nameserver - for instance the nameserver "ns1.alvobs.com" is used by many domains which seem to be involved in tricking people into infecting themselves. Here are some of the domain names that they found were being actively visited:

Many of these sites have already been shut down due to malware complaints. Hopefully Directi will look into the others as well.

One of the students ran the WHOIS on many of these domains and noticed that in addition to having invalid phone numbers (such as Tasha Chambers in Kearns Utah, who has the telephone: Tel. +001.98985647689) the pattern was to make either a gmail or a yahoo address using the first portion of the first and last names, so we had whois name/email pairs such as:

Almost all of the domains that were owned by the people above had been terminated. Almost all of the domains registered to "PrivacyProtect.org" had NOT been terminated - which is probably because PrivacyProtect makes it hard to lodge a complaint based on the fact that the domain has false WHOIS information.

After class, Brian got back into the lab to prove to me why he was better than the "automatic unpacker" I had used in class. As usual, he was amazing. He stepped through the malware with a debugger until it had unpacked itself fully into memory, and then dropped the image from memory to reveal even more hard-coded website names, including:

superarthome.com and robert-art.com

which seem to be "backup" command & controls. When we launched we sent a string "/senm.php?data=" to "myart-gallery.com", but apparently if that domain is unavailable, the code will try "robert-art.com" or "superarthome.com" instead.

Wednesday, July 15, 2009

We've previously warned about the dangers of following "Tiny URLs" on Twitter. With only 140 characters to use in your message, many Twitterers use URL shortening services to save their precious characters. Unfortunately, most people have no idea where that click is going to take them until they click on it and get forwarded by the URL shortening service. It's a bit like playing Russian roulette. Click the shortened URLs, and you may get informative news stories, insightful blog articles, pornography, or a new virus!

At the UAB Spam Data Mine we've seen a few of these Tiny URLs used in spam, but now we have our first major campaign that is exploiting them in a highly organized way.

Bingo Palms has a current spam campaign underway which involves a large number of these URL shorteners, including:

So far we've seen almost a thousand of these spam messages, and have encountered 453 unique URLs at this point. Here are the subjects that are being used in this spam campaign:

Subject: $10 free deposit
Subject: $5000 Jackpot waiting for you!
Subject: 200% bonus on every deposit
Subject: 75 and 90 Ball Bingo
Subject: Become A Bingo Hustler
Subject: Become A Winner Today
Subject: Become A Winner With Bingo
Subject: b-i-n-g-o for you!
Subject: Bingo has never been easier.
Subject: Bing-o Was Her Name-o
Subject: Do you like to play bingo online?
Subject: Enjoy Bingo Online
Subject: Ever wanted to play Bingo for Cash ?
Subject: Gamble online? Read me!
Subject: Gamble With Bingo
Subject: Gamble? Like to play online?
Subject: Hot 9-Real SLot Machines! $25,000 Jackpot
Subject: Hustle Online. Play Bingo.
Subject: Like Bingo? Win $
Subject: Nickel, Dime, Quarter, & High Roller Games!
Subject: Nightly Events for CASH Prizes
Subject: Online diplomas here.
Subject: Play Bing0 Online
Subject: Play Bingo Now
Subject: Play Bingo Today
Subject: play online
Subject: Play Online Now
Subject: Play Online, Win Today
Subject: Someone has invited you to a game of Bingo
Subject: Something For You. Play Online.
Subject: Vehicle Warranty - 60% off
Subject: Want to play bingo online and win CASH ?
Subject: Win With Bingo
Subject: You have been invited to a Bingo game!

We see this campaign as a dangerous precedent which could be followed by other spammers to make our efforts to block their spam more difficult. As one would expect, the spammer, in addition to cheating the affiliate program, and offering "probably illegal" gambling to his email recipients, is delivering his spam message through a world-wide botnet of compromised computers. Just in our spam samples, we have spam for this campaign sent from 698 different computers in 43 different countries around the world.

Despite a broad smattering of countries, 43% of our spam came from Brazil, 20% from Russia, 13% from the Ukraine, 7% from India, and 2% from Italy. No other country represented more than 1% of the spam we received in this campaign.

Friday, July 03, 2009

Loyal Blog readers will know that the UAB Spam Data Mine has been tracking the Waledac spam campaigns since their onset. We've followed this worm through the Obama inauguration, Valentine's Day, A Fake Grocery Coupon scam, a Fake Reuters story about a terrorist bomb, and an SMS Spy program. Of course ALL of the domains associated with Waledac infection have been registered on ENAME.cn, the horribly managed Chinese registrar who seems to register more domains used in spam and malware than any other registrar on earth! Even though many of the SMS Spy version of the domains are still live, they have been forwarding to Canadian Pharmacy websites recently.

Until today.

Here is a sneak preview of the newest version of Waledac. Although the spam campaign has not yet started, the websites are already displaying this new YouTube page promising "Colorful Independence Day events took place throughout the country". The past tense indicates to us that this campaign probably won't take off until late on the day of July 4th. The video claims to be the "South Shore's Fourth of July fireworks show" which has been named by "The American Pyrotechnics Association" as the best display in the nation.

As with previous versions though, the problem is that when you click "play" on the fake YouTube page, you are invited to run "install.exe". What is that?

Unfortunately, it's a demonstration of how Anti-Virus products work. Anti-virus products start to detect a virus when enough people complain about the virus to warrant the addition of the virus to their library of anti-virus signatures. In this case, because the virus hasn't been spammed yet, almost no one has complained, and as a result, almost no one knows that it is a virus. By the time the virus begins to spread on Saturday evening of a holiday weekend, how many anti-virus engineers will be in the shop to write a definition?

Hopefully with a little advance warning, we'll do a better job protecting ourselves this year!

We infected one machine with this version of Waledac to see what happened. The most immediate impact is that we started sending spam. The "install.exe" which we downloaded actually had the SMTP engine built in, so we would say this is the primary purpose. The Waledac executable is also doing huge volumes of peer to peer traffic, as before, talking to many things which seem to be nginx servers (but which are actually nginx Proxy servers.)

In addition to the spam-sending, we made connection to the website "securitytoolspro.com", which downloaded an executable "12690784.exe", which is actually a fake anti-virus product.

The first action of this download is to change our Windows wallpaper to look like this:

Then the install begins:

After "scanning" our computer, it asks us to "Remove All Threats", which involves buying the product from a website:

An unpacked version of the Waledac malware can be retrieved from Eureka, which I used to do a lazy man's unpack:

Eureka Report. Clicking the "Strings" tab of that report will provide many hard-coded IP addresses which are part of the "start up" process for the peer to peer network.

UPDATE

We had set our spam traps up to let me know when we got our first Waledac Fireworks spam, and it JUST came in while I was at dinner! (Roughly twelve hours after my initial post of this article PREDICTING this spam campaign.)

The first spam message we received on this campaign came from a Russian IP address, 94.255.18.91, and used the email subject: "Light up the sky". The body of the message was only one line, as with previous Waledac campaigns, and read: "American Independence Day" and contained a link to the virus.

The hostile website in this email was "moviesfireworks.com".

Other email subjects we've seen include:

America the Beautiful
Celebrate the spirit of America
Celebrating the spirit of our Country
Celebrations have already begun
Happy Birthday America!
Long Live America
Super 4th!

The single lines of text in the bodies of the emails have included:

America the Beautiful
Bright and joyful Fourth of July
Celebrate the spirit of America
Happy Birthday, America!
Long Live America
Super 4th!
The best of 4th of July Salute

So, we believe that the same spam template variable is probably being used for the subject line and the email body line.

As with all previous Waledac spam, these are "Fast Flux hosted" on a multitude of IP addresses.

Other Domain Names (DO NOT CLICK!!!!!)

fireworkspoint.com
moviesfireworks.com
moviefireworks.com

Jeremy from SudoSecure responded to one of my posts with information from his excellent Waledac tracker. I have to point out that his domain list is VERY complete, and that his blog post was one hour earlier than mine. 8-) But we aren't competing . . . 8-)

These are being registered on China Springboard, which is a change of Registrar for Waledac, who has always used ENAME before. Of course the ENAME registrar is still loaded with horrible volumes of spam: